CVE-2024-27303 app-builder-lib

Package

Manager: npm
Name: app-builder-lib
Vulnerable Version: >=0 <24.13.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00082 (percentile 0.24745)

Details

electron-builder's NSIS installer - execute arbitrary code on the target machine (Windows only)

### Impact

Windows-Only: The NSIS installer makes a system call to open cmd.exe via NSExec in the `.nsh` installer script. NSExec by default searches the current directory of where the installer is located before searching `PATH`. This means that if an attacker can place a malicious executable file named cmd.exe in the same folder as the installer, the installer will run the malicious file.

### Patches

Fixed in https://github.com/electron-userland/electron-builder/pull/8059

### Workarounds

None, it executes at the installer-level before the app is present on the system, so there's no way to check if it exists in a current installer.

### References

https://cwe.mitre.org/data/definitions/426.html
https://cwe.mitre.org/data/definitions/427
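
Because the advisory lists no workaround, the practical check is whether a build tree resolves `app-builder-lib` below 24.13.2. The following is an added example, not code from the advisory or from electron-builder; it reads an npm `package-lock.json` object (both lockfile layouts), and the sample lockfile and the `demo-app` and `demo-tool` names are constructed for illustration.

```javascript
const PKG = "app-builder-lib";
const FIXED = [24, 13, 2]; // first patched version, from the advisory

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; null for git URLs, tags, links.
function parse(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(version).trim());
  return m && { nums: [+m[1], +m[2], +m[3]], prerelease: Boolean(m[4]) };
}

// true/false for parseable versions, null when manual review is needed.
function isVulnerable(version) {
  const v = parse(version);
  if (!v) return null;
  for (let i = 0; i < 3; i++) if (v.nums[i] !== FIXED[i]) return v.nums[i] < FIXED[i];
  return v.prerelease; // a prerelease of 24.13.2 sorts before 24.13.2
}

function findInstalls(lock) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.split("node_modules/").pop() === PKG) found.push({ path, version: meta.version });
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${trail}node_modules/${name}`;
        if (name === PKG) found.push({ path, version: meta.version });
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return found.map((f) => ({ ...f, vulnerable: isVulnerable(f.version) }));
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/app-builder-lib": { version: "24.9.1" },
    "node_modules/demo-tool/node_modules/app-builder-lib": { version: "24.13.2" },
  },
};
console.log(findInstalls(SAMPLE_LOCK));
```

Installers already built with a flagged version are not changed by upgrading the dependency; they have to be rebuilt with the fixed release.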

Metadata

Created: 2024-03-04T20:42:45Z
Modified: 2024-03-06T21:36:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-r4pf-3v7r-hh55/GHSA-r4pf-3v7r-hh55.json
CWE IDs: ["CWE-426", "CWE-427"]
Alternative ID: GHSA-r4pf-3v7r-hh55
Finding: F098
Auto approve: 1